Added databricks_views data resource (#1283)

* Added `databricks_views` data resource for listing of views in Unity Catalog managed schema
* Made `databricks_tables` return only managed or external tables in Unity Catalog.

Fix #1274

Author: nfx

CHANGELOG.md

@@ -1,5 +1,9 @@
 # Version changelog
 
+## 0.5.6
+
+* Added `databricks_views` data resource, making `databricks_tables` return only managed or external tables in Unity Catalog ([#1274](https://github.com/databrickslabs/terraform-provider-databricks/issues/1274)).
+
 ## 0.5.5
 
 * Added configuration generators for `databricks_sql_*` resources in _experimental_ [Resource Exporter](https://asciinema.org/a/Rv8ZFJQpfrfp6ggWddjtyXaOy) ([#1199](https://github.com/databrickslabs/terraform-provider-databricks/pull/1199)).

catalog/data_tables.go

@@ -21,7 +21,9 @@ func DataSourceTables() *schema.Resource {
 			return err
 		}
 		for _, v := range tables.Tables {
-			data.Ids = append(data.Ids, v.FullName())
+			if v.TableType != "VIEW" {
+				data.Ids = append(data.Ids, v.FullName())
+			}
 		}
 		return nil
 	})

catalog/data_views.go

@@ -0,0 +1,30 @@
+package catalog
+
+import (
+	"context"
+
+	"github.com/databrickslabs/terraform-provider-databricks/common"
+	"github.com/hashicorp/terraform-plugin-sdk/v2/helper/schema"
+)
+
+func DataSourceViews() *schema.Resource {
+	type viewsData struct {
+		CatalogName string   `json:"catalog_name"`
+		SchemaName  string   `json:"schema_name"`
+		Ids         []string `json:"ids,omitempty" tf:"computed,slice_set"`
+	}
+	return common.DataResource(viewsData{}, func(ctx context.Context, e interface{}, c *common.DatabricksClient) error {
+		data := e.(*viewsData)
+		tablesAPI := NewTablesAPI(ctx, c)
+		tables, err := tablesAPI.listTables(data.CatalogName, data.SchemaName)
+		if err != nil {
+			return err
+		}
+		for _, v := range tables.Tables {
+			if v.TableType == "VIEW" {
+				data.Ids = append(data.Ids, v.FullName())
+			}
+		}
+		return nil
+	})
+}

catalog/data_views_test.go

@@ -0,0 +1,53 @@
+package catalog
+
+import (
+	"testing"
+
+	"github.com/databrickslabs/terraform-provider-databricks/qa"
+)
+
+func TestViewsData(t *testing.T) {
+	qa.ResourceFixture{
+		Fixtures: []qa.HTTPFixture{
+			{
+				Method:   "GET",
+				Resource: "/api/2.0/unity-catalog/tables/?catalog_name=a&schema_name=b",
+				Response: Tables{
+					Tables: []TableInfo{
+						{
+							CatalogName: "a",
+							SchemaName: "b",
+							Name: "c",
+							TableType: "MANAGED",
+						},
+						{
+							CatalogName: "a",
+							SchemaName: "b",
+							Name: "d",
+							TableType: "VIEW",
+						},
+					},
+				},
+			},
+		},
+		Resource: DataSourceViews(),
+		HCL: `
+		catalog_name = "a"
+		schema_name = "b"`,
+		Read:        true,
+		NonWritable: true,
+		ID:          "_",
+	}.ApplyAndExpectData(t, map[string]interface{}{
+		"ids": []string{"a.b.d"},
+	})
+}
+
+func TestViewsData_Error(t *testing.T) {
+	qa.ResourceFixture{
+		Fixtures:    qa.HTTPFailures,
+		Resource:    DataSourceViews(),
+		Read:        true,
+		NonWritable: true,
+		ID:          "_",
+	}.ExpectError(t, "I'm a teapot")
+}

docs/data-sources/tables.md

@@ -5,20 +5,27 @@ subcategory: "Unity Catalog"
 
 -> **Note** If you have a fully automated setup with workspaces created by [databricks_mws_workspaces](../resources/mws_workspaces.md) or [azurerm_databricks_workspace](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/databricks_workspace), please make sure to add [depends_on attribute](../index.md#data-resources-and-authentication-is-not-configured-errors) in order to prevent _authentication is not configured for provider_ errors.
 
-Retrieves a list of [databricks_table](../resources/table.md) ids, that were created by Terraform or manually, so that special handling could be applied.
+Retrieves a list of managed or external table full names in Unity Catalog, that were created by Terraform or manually. Use [databricks_views](views.md) for retrieving a list of views.
 
 ## Example Usage
 
-Listing all tables in a _things_ [databricks_schema](../resources/schema.md) from _sandbox_ [databricks_catalog](../resources/catalog.md):
+Granting `SELECT` and `MODIFY` to `sensitive` group on all tables a _things_ [databricks_schema](../resources/schema.md) from _sandbox_ [databricks_catalog](../resources/catalog.md):
 
 ```hcl
 data "databricks_tables" "things" {
   catalog_name = "sandbox"
-  schema_name  = "things"
+  schema_name = "things"
 }
 
-output "all_things_tables" {
-  value = data.databricks_tables.things
+resource "databricks_grants" "things" {
+  for_each = data.databricks_tables.things.ids
+  
+  table = each.value
+
+  grant {
+    principal  = "sensitive"
+    privileges = ["SELECT", "MODIFY"]
+  }
 }
 ```
 

docs/data-sources/views.md

@@ -0,0 +1,49 @@
+---
+subcategory: "Unity Catalog"
+---
+# databricks_views Data Source
+
+-> **Note** If you have a fully automated setup with workspaces created by [databricks_mws_workspaces](../resources/mws_workspaces.md) or [azurerm_databricks_workspace](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/databricks_workspace), please make sure to add [depends_on attribute](../index.md#data-resources-and-authentication-is-not-configured-errors) in order to prevent _authentication is not configured for provider_ errors.
+
+Retrieves a list of view full names in Unity Catalog, that were created by Terraform or manually. Use [databricks_tables](tables.md) for retrieving a list of tables.
+
+## Example Usage
+
+Granting `SELECT` and `MODIFY` to `sensitive` group on all views in a _things_ [databricks_schema](../resources/schema.md) from _sandbox_ [databricks_catalog](../resources/catalog.md).
+
+```hcl
+data "databricks_views" "things" {
+  catalog_name = "sandbox"
+  schema_name = "things"
+}
+
+resource "databricks_grants" "things" {
+  for_each = data.databricks_views.things.ids
+  
+  view = each.value
+
+  grant {
+    principal  = "sensitive"
+    privileges = ["SELECT", "MODIFY"]
+  }
+}
+```
+
+## Argument Reference
+
+* `catalog_name` - (Required) Name of [databricks_catalog](../resources/catalog.md)
+* `schema_name` - (Required) Name of [databricks_schema](../resources/schema.md)
+
+## Attribute Reference
+
+This data source exports the following attributes:
+
+* `ids` - set of [databricks_table](../resources/table.md) full names: *`catalog`.`schema`.`view`*
+
+## Related Resources
+
+The following resources are used in the same context:
+
+* [databricks_table](../resources/table.md) to manage tables within Unity Catalog.
+* [databricks_schema](../resources/schema.md) to manage schemas within Unity Catalog.
+* [databricks_catalog](../resources/catalog.md) to manage catalogs within Unity Catalog.

docs/resources/grants.md

@@ -90,6 +90,26 @@ resource "databricks_grants" "customers" {
 }
 ```
 
+You can also apply grants dynamically with [databricks_tables](../data-sources/tables.md) data resource:
+
+```hcl
+data "databricks_tables" "things" {
+  catalog_name = "sandbox"
+  schema_name = "things"
+}
+
+resource "databricks_grants" "things" {
+  for_each = data.databricks_tables.things.ids
+  
+  table = each.value
+
+  grant {
+    principal  = "sensitive"
+    privileges = ["SELECT", "MODIFY"]
+  }
+}
+```
+
 ## View grants
 
 You can grant `SELECT` privileges to [*`catalog`*.*`database`*.*`view`*](table.md) specified in `view` attribute. You can define a view through [databricks_table](table.md) resource.
@@ -104,6 +124,26 @@ resource "databricks_grants" "customer360" {
 }
 ```
 
+You can also apply grants dynamically with [databricks_views](../data-sources/views.md) data resource:
+
+```hcl
+data "databricks_views" "customers" {
+  catalog_name = "main"
+  schema_name = "customers"
+}
+
+resource "databricks_grants" "customers" {
+  for_each = data.databricks_views.customers.ids
+  
+  view = each.value
+
+  grant {
+    principal  = "sensitive"
+    privileges = ["SELECT", "MODIFY"]
+  }
+}
+```
+
 ## Storage credential grants
 
 You can grant `CREATE_TABLE`, `READ_FILES`, and `WRITE_FILES` privileges to [databricks_storage_credential](storage_credential.md) id specified in `storage_credential` attribute:

docs/resources/sql_permissions.md

@@ -3,9 +3,7 @@ subcategory: "Security"
 ---
 # databricks_sql_permissions Resource
 
--> **Note** Please switch to [databricks_grants](grants.md) with Unity Catalog to manage data access, which provides better and faster way for managing data security. `databricks_grants` resource *doesn't require a technical cluster to perform operations*. `databricks_sql_permissions` will be removed, once Unity Catalog is Generally Available.
-
--> **Note** On workspaces with Unity Catalog enabled, you may run into errors such as `Error: cannot create sql permissions: cannot read current grants: For unity catalog, please specify the catalog name explicitly. E.g. SHOW GRANT ``[email protected]`` ON CATALOG main`. This happens if your `default_catalog_name` was set to a UC catalog instead of `hive_metastore`. The workaround is to re-assign the metastore again with the default catalog set to be `hive_metastore`. See [databricks_metastore_assignment](metastore_assignment.md).
+-> **Note** Please switch to [databricks_grants](grants.md) with Unity Catalog to manage data access, which provides better and faster way for managing data security. `databricks_grants` resource *doesn't require a technical cluster to perform operations*. On workspaces with Unity Catalog enabled, you may run into errors such as `Error: cannot create sql permissions: cannot read current grants: For unity catalog, please specify the catalog name explicitly. E.g. SHOW GRANT ``[email protected]`` ON CATALOG main`. This happens if your `default_catalog_name` was set to a UC catalog instead of `hive_metastore`. The workaround is to re-assign the metastore again with the default catalog set to be `hive_metastore`. See [databricks_metastore_assignment](metastore_assignment.md).
 
 This resource manages data object access control lists in Databricks workspaces for things like tables, views, databases, and [more](https://docs.databricks.com/security/access-control/table-acls/object-privileges.html). In order to enable Table Access control, you have to login to the workspace as administrator, go to `Admin Console`, pick `Access Control` tab, click on `Enable` button in `Table Access Control` section, and click `Confirm`. The security guarantees of table access control **will only be effective if cluster access control is also turned on**. Please make sure that no users can create clusters in your workspace and all [databricks_cluster](cluster.md) have approximately the following configuration:
 

provider/provider.go

@@ -52,6 +52,7 @@ func DatabricksProvider() *schema.Provider {
 			"databricks_schemas":                 catalog.DataSourceSchemas(),
 			"databricks_spark_version":           clusters.DataSourceSparkVersion(),
 			"databricks_tables":                  catalog.DataSourceTables(),
+			"databricks_views":                   catalog.DataSourceViews(),
 			"databricks_user":                    scim.DataSourceUser(),
 			"databricks_zones":                   clusters.DataSourceClusterZones(),
 		},

qa/testing.go

@@ -265,6 +265,12 @@ func (f ResourceFixture) ApplyAndExpectData(t *testing.T, data map[string]interf
 	for k, expected := range data {
 		if k == "id" {
 			assert.Equal(t, expected, d.Id())
+		} else if that, ok := d.Get(k).(*schema.Set); ok {
+			this := expected.([]string)
+			assert.Equal(t, len(this), that.Len(), "set has different length")
+			for _, item := range this {
+				assert.True(t, that.Contains(item), "set does not contain %s", item)
+			}
 		} else {
 			assert.Equal(t, expected, d.Get(k))
 		}